Lenovo’s system update vulnerability allows man in the middle attacks


Lenovo is facing the heat once again as three major vulnerabilities have been discovered in its system update software. This is a big blow to the Chinese PC manufacturer after Superfish, the pre-installed Lenovo adware, contained a massive security flaw. This time, it’s even worse, as it turns out that Lenovo’s own system update software could lead to a man-in-the-middle (MITM) attack.

The security flaws were discovered by IOActive, which found that Lenovo’s system update doesn’t fully verify executables downloaded from the internet. Because of this, attackers can replace the legitimate update software with malware in a classic man-in-the-middle scenario.

Free System privileges for everyone!

The system update software allows even the least privileged users to run the update. To do that, the application includes a service called SUService.exe. This service runs as the System user and allows any user to execute commands with higher privileges. This vulnerability, present in Lenovo System Update (5.6.0.27 and earlier versions), is a great security risk because it could allow malicious commands from an unprivileged user to be executed with System privileges, thus putting the malware in the driver’s seat. But wait, Lenovo’s software update must be checking the signatures of the downloaded files before running them, right? Unfortunately, that is where the problem exists. As stated by IOActive:

“When performing the signature validation, Lenovo failed to properly validate the CA (certificate authority) chain. As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables. Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user.”
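To make the quoted flaw concrete, the following added example (not Lenovo’s or IOActive’s code) models it as a verifier that accepts any internally consistent signature chain, next to one that also requires the chain to end at a root key shipped with the updater. The toy RSA helpers, certificate fields, names and keys are all constructed for illustration, and the shape of the flawed check is an assumption.

```python
import hashlib

M = lambda k: 2**k - 1  # Mersenne primes for k in 13,17,19,31,61,89,107,127

def make_key(p, q, e=65537):  # toy textbook RSA, no padding: illustration only
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(cert, data, sig):  # check sig against the public key carried in cert
    return pow(sig, cert["e"], cert["n"]) == digest(data, cert["n"])

def tbs(cert):  # the bytes an issuer signs: names plus the subject's public key
    return "|".join(str(cert[f]) for f in ("subject", "issuer", "n", "e")).encode()

def issue(subject, key, issuer, issuer_key):
    cert = {"subject": subject, "issuer": issuer, "n": key["n"], "e": key["e"]}
    cert["sig"] = sign(issuer_key, tbs(cert))
    return cert

def chain_consistent(payload, payload_sig, chain):
    """Leaf signed the payload and every cert is signed by the next one up."""
    if not chain or not verify(chain[0], payload, payload_sig):
        return False
    return all(c["issuer"] == up["subject"] and verify(up, tbs(c), c["sig"])
               for c, up in zip(chain, chain[1:] + chain[-1:]))

def verify_unanchored(payload, sig, chain):
    # Flawed model: trusts whichever root arrived alongside the download.
    return chain_consistent(payload, sig, chain)

def verify_anchored(payload, sig, chain, anchors):
    # Hardened: the chain must also end at a root key shipped with the updater.
    return chain_consistent(payload, sig, chain) and (chain[-1]["n"], chain[-1]["e"]) in anchors

# Constructed sample data: a vendor chain and a look-alike chain under an unknown root.
ROOT, VENDOR = make_key(M(61), M(89)), make_key(M(31), M(107))
OTHER_ROOT, OTHER_LEAF = make_key(M(19), M(127)), make_key(M(13), M(17))
good_chain = [issue("Example Code Signing", VENDOR, "Example Root CA", ROOT),
              issue("Example Root CA", ROOT, "Example Root CA", ROOT)]
fake_chain = [issue("Example Code Signing", OTHER_LEAF, "Example Root CA", OTHER_ROOT),
              issue("Example Root CA", OTHER_ROOT, "Example Root CA", OTHER_ROOT)]
ANCHORS = {(ROOT["n"], ROOT["e"])}
update = b"constructed update payload"
good_sig, fake_sig = sign(VENDOR, update), sign(OTHER_LEAF, update)
```

Both chains carry the same subject and issuer names, so only the comparison against the pinned root key separates them; matching on certificate names would not.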


Thankfully though, Lenovo worked together with IOActive to release an update that addresses this issue (CVE-2015-2233). Other vulnerabilities fixed include:

As stated by Kevin Bocek, vice president of security, strategy and threat intelligence at Venafi:

The system of trust that keeps the internet running safely is “very fragile.”

Hopefully Lenovo and other PC manufacturers will improve security testing procedures for their software to ensure that their users are not exposed to such security risks.


Have a nice (vulnerability-free) day!

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.